Securing your mobile estate – best practice for CIOs

The prevalence of mobile devices in every part of daily life is shaping how enterprises make choices about software and network infrastructure, but how do businesses go about securing these vast new endpoint estates?

Nothing in life is certain, but the rise of mobile devices as the way most of us connect, interact online and get things done is here to stay – and it is shaping how enterprises make choices about software platforms and wider infrastructure.

What does this development mean when it comes to security, and particularly securing smartphones in the enterprise?

In relation to mobile phones, bring-your-own-device (BYOD) is the aspiration that sits at the heart of thinking about secure mobility for many CIOs. For many, like the Williams F1 team’s CIO, Graeme Hackland, phasing in mobile and BYOD has become a priority because smartphones are relatively insecure and untested – yet very appealing for individuals to adopt.

“Everyone wants to work on mobiles now. They are fast, available and what people reach for. So bringing these devices under the security umbrella is essential,” said Hackland when he spoke to Computer Weekly at InfoSecurity 2018.

So the challenge, according to Hackland and others, is to move fast on security while maintaining resilience in a world where absolute security is not realistic. “Any device, any data” is the aspiration for him and many, but at the same time staff want to know and feel they aren’t being over-monitored.

“If you analyse activity, the challenge is to keep it anonymised and only trigger alerts where there’s a demonstrable lack of fit with a company’s culture and behaviours. You want to leave people alone and not be dealing with noise and false positives.”

Adoption up as 5G looms

If that’s one IT leader’s perspective, the big-picture research shows us that corporates’ use of mobile devices, often in conjunction with cloud-based applications, has already gone mainstream.

A recent study commissioned by Zscaler found that almost half of respondent companies (43%) across Europe, the Middle East and Africa said more than 50% of their users are accessing cloud-based applications via a mobile device, with nearly one in three companies (29%) putting the proportion of mobile users at more than 75%. The trend was similar across all surveyed countries, with 76% of UK companies reporting more than half of mobile users accessing apps.

This picture also demonstrates how remote working is now a requirement in corporations, and that means seamless access to data and applications via smartphones becomes a must, whether those apps are hosted in the corporate datacentre or the cloud.

There’s also the unavoidable point that the shift to smartphones will only pick up with the launch of 5G, since the next generation of mobile devices has the potential to increase access performance by a factor of 10.

What’s secure? Understanding zero trust

If that’s the context, how does today’s enterprise security measure up? What’s working, what needs a rethink – and how do CIOs respond?

In a complicated space, one model to pick out in relation to mobility in the enterprise is the concept of zero trust. It is a security framework based on the principle of maintaining strict access controls and not trusting anyone by default – and that includes those already inside the network perimeter.

Chase Cunningham, the cyber security expert and principal analyst at Forrester Research who first floated the idea, says: “It’s a battlefield out there, in terms of cyber security, and a compliance-led approach doesn’t go far enough in a mobile-centric world. The perimeter model for security has failed. So security at the mobile edge, pushing to the device and user, is the way forward.

“Enterprises have no choice but to be secure – and mobile edge is more robust because it enables data communication to be locally translated to a communication protocol before being sent to an organisation’s network core via the cloud.”

Another who picks out zero trust as delivering for today’s security in a mobile world is Cisco’s global cyber security adviser, Simon Minton.

“With zero trust, the user, device and application are the three key tenets to maintain security. Everything else is untrusted,” says Minton. “The idea is, you divert your resources to protecting those three and treat the network as untrusted. It’s a robust way of delivering security as mobile and BYOD takes off.”

Cunningham’s wider “zero-trust extended” model for CIOs, which builds on his original zero-trust idea, takes in:

  • The network and its use of isolation and segmentation;
  • Data: how is data categorised, isolated, encrypted and otherwise controlled?
  • People and training: how are network users and the company’s infrastructure protected? How well trained are users?
  • Workload: how are the cloud, applications and other elements in use kept secure?
  • Automation and orchestration: how do AI and IT systems generally handle distrust and verification?
  • Visibility and analysis: what blind spots can analysis show up?

In considering mobile security, it is clearly a useful model for plotting next steps.

Security and SD-WAN

What’s being described, in security terms, is complicated. It’s natural, therefore, for IT directors to look to suppliers for ready-made shortcuts that do some of the heavy lifting. It’s also natural that the suppliers are ready to oblige.

When it comes to network security, software-defined WAN (SD-WAN) presents one way for enterprises to gain control of smartphone and multi-device security.

Marc Sollars, chief technology officer (CTO) of integration specialist Teneo, argues that SD-WAN is strongly supportive of mobile working and of users flipping between devices, as well as delivering network-related gains.

“SD-WAN goes a long way in security terms today, partly because providers have set up successful alliances with security suppliers and endpoint device suppliers. It means that SD-WAN and security technologies can be used in tandem to lock down remote applications and network access points for autonomous enterprises and local branches.”

Sollars also argues that it is the security play that is moving up the agenda when it comes to SD-WAN.

“Suppliers originally focused their value-add pitch to CIOs on SD-WAN’s centralised control of networks and components, path selection for application traffic, and cost savings over legacy networks. But now it’s the value in enterprise security that is increasingly being understood.”

It’s an interesting shift that many acknowledge. In organisations, different teams will traditionally focus quite separately on these two distinct areas. The network team will be driving performance and efficiency, and the mobile team will be driving user productivity and data security. But surely that will change – and it is up to CIOs to dismantle any silos.

“Flexible network provisioning will, of course, help the mobile experience, since mobile endpoints will be driving more and more of the traffic through the network,” says Ojas Rege, chief strategy officer at endpoint management provider MobileIron.

“Mobile security itself will require additional, more granular access control across the network so only trusted endpoints and apps can access business data. These mechanisms sit outside the traditional perimeter security model and fit with the zero-trust approach outlined by Forrester.”

The end-to-end offer

An extension of this off-the-shelf answer to mobile security can also be seen in the way that integrated IT offers from the likes of Citrix, partnering with Microsoft, now emphasise how their built-in security provision has shifted from the network perimeter to the endpoint itself.

In practice, this means organisations looking for secure mobility have the option of adopting a cloud-based integration. One example can be seen at Lewisham and Greenwich NHS Trust, which recently deployed Citrix Virtual Apps and Desktops on Microsoft Azure as part of its cloud-first strategy – with mobility and security at the heart of the transition.

In this case, the decision to adopt Citrix was led by increased demand for services from staff who are constantly mobile and require access to clinical applications while seeing patients in the community.

Justin Beardsmore, chief technology officer for Lewisham and Greenwich, says adopting cloud was always essential as community services always happen beyond the hospital.

“That means on-premise infrastructure isn’t an option. With Citrix Cloud, we have secure portal access from any device, and that gives us a lot of confidence in a world where all security approaches are being re-addressed,” he says.

Practical but limited – Henkel’s mobile update

The German consumer goods and chemicals company Henkel updated its mobile arrangements because of a growing threat from malware on devices and to meet the demands of Europe’s General Data Protection Regulation (GDPR).

Head of digital workplace mobility Marco Siedler said an initial assessment of a container-based approach to the planned upgrade drew a blank because staff in a pilot group found problems with synchronising certain mobile data, with no easy fix.

After reviewing marketplace options, Siedler then opted to work with Lookout Mobile Endpoint Security on the project, handing Lookout a brief to ensure data security for its business-critical platforms and to lock down data on corporate mobiles.

Lookout handled data by enabling staff to switch off the collection and storage of user personal data, including data collected from devices and from third-party integrations like MobileIron’s mobile device management platform.

Henkel’s workarounds applied to all corporate Android mobiles, for which it established a conditional access rule: only devices with the Lookout for Work app activated were permitted to access corporate data and resources.
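Henkel’s rule is a concrete instance of the zero-trust tenets Minton describes above: trust is decided on the user, the device and the application, and the network is ignored. The following is an added illustration of such a conditional-access decision, not Henkel’s, Lookout’s or MobileIron’s code; the posture fields and the application allow-list are hypothetical.

```python
"""Added illustration (not Henkel's, Lookout's or MobileIron's code): a zero-trust
conditional-access evaluator built on the three tenets named on this page, user,
device and application, with the network deliberately left out of the decision.
The 'threat-defence app active' gate mirrors Henkel's rule that only devices with
an activated Lookout for Work app may reach corporate data. Field names are hypothetical."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class User:
    identity_verified: bool      # authenticated against the corporate identity provider
    mfa_passed: bool             # second factor completed for this session


@dataclass
class Device:
    managed: bool                # enrolled in device management (MobileIron-style)
    mtd_app_active: bool         # mobile threat-defence app installed and activated
    compromised: bool = False    # e.g. the MTD app reports root/jailbreak or malware


@dataclass
class Request:
    user: User
    device: Device
    app: str                     # application the user is trying to reach
    network: str = "unknown"     # carried for logging only; never consulted


CORPORATE_APPS = {"mail", "crm", "clinical-records"}   # constructed allow-list


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed check is reported, not just the
    first, so a denial is actionable for the user and the help desk."""
    reasons: list[str] = []
    if not (req.user.identity_verified and req.user.mfa_passed):
        reasons.append("user: identity not verified with MFA")
    if not req.device.managed:
        reasons.append("device: not enrolled in device management")
    if not req.device.mtd_app_active:
        reasons.append("device: threat-defence app not activated")
    if req.device.compromised:
        reasons.append("device: reported compromised")
    if req.app not in CORPORATE_APPS:
        reasons.append(f"app: '{req.app}' is not an approved corporate application")
    # req.network is intentionally ignored: being on the 'inside' network grants nothing.
    return (not reasons, reasons)
```

The same request evaluated from the corporate Wi-Fi and from a public hotspot yields the same decision, which is the point of treating the network as untrusted.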

This pragmatic solution to Henkel’s mobile challenge is neat on one level, but also illustrates how far things have come. Three years on, today’s applications of zero-trust methods and end-to-end software integrations should mean BYOD is possible for organisations tapping smartphones and cloud-based services of any description. Mobility is widespread now, as we’ve explored, and even if the necessary enterprise-grade security isn’t necessarily always in place, the tools to deliver are there now for committed IT chiefs.